From f4669bf3f5113ac591d9d54f2a8acc92e0309e27 Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Wed, 12 Sep 2018 19:32:01 +0300 Subject: [PATCH 1/6] Make monkey always try to ping the remote machine. This catches more events for the cross segment analyser --- monkey/infection_monkey/monkey.py | 3 +-- monkey/infection_monkey/network/network_scanner.py | 13 +++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index 30eb57f1c..7fe31da40 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -129,8 +129,7 @@ class InfectionMonkey(object): if not self._keep_running or not WormConfiguration.alive: break - machines = self._network.get_victim_machines(WormConfiguration.scanner_class, - max_find=WormConfiguration.victims_max_find, + machines = self._network.get_victim_machines(max_find=WormConfiguration.victims_max_find, stop_callback=ControlClient.check_for_stop) is_empty = True for machine in machines: diff --git a/monkey/infection_monkey/network/network_scanner.py b/monkey/infection_monkey/network/network_scanner.py index 2ccdfe74c..44ebbf3f2 100644 --- a/monkey/infection_monkey/network/network_scanner.py +++ b/monkey/infection_monkey/network/network_scanner.py @@ -6,7 +6,7 @@ from infection_monkey.config import WormConfiguration from infection_monkey.network.info import local_ips, get_interfaces_ranges from infection_monkey.model import VictimHost from infection_monkey.network import HostScanner - +from infection_monkey.network import TcpScanner, PingScanner __author__ = 'itamar' LOG = logging.getLogger(__name__) 
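Review bot: In network_scanner.py the new `from infection_monkey.network import TcpScanner, PingScanner` imports two concrete scanners from the package this module itself lives in, so it only works if the package's `__init__` has already bound both names when network_scanner is loaded. That ordering is not visible in this patch and is worth confirming. The line also repeats the existing `from infection_monkey.network import HostScanner` and replaces the blank line that separated the imports from `__author__`. I would fold the two into `from infection_monkey.network import HostScanner, TcpScanner, PingScanner` and keep the blank line after it.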
@@ -62,7 +62,7 @@ class NetworkScanner(object): return subnets_to_scan - def get_victim_machines(self, scan_type, max_find=5, stop_callback=None): + def get_victim_machines(self, max_find=5, stop_callback=None): """ Finds machines according to the ranges specified in the object :param scan_type: A hostscanner class, will be instanced and used to scan for new machines @@ -70,10 +70,9 @@ class NetworkScanner(object): :param stop_callback: A callback to check at any point if we should stop scanning :return: yields a sequence of VictimHost instances """ - if not scan_type: - return - scanner = scan_type() + TCPscan = TcpScanner() + Pinger = PingScanner() victims_count = 0 for net_range in self._ranges: @@ -94,9 +93,11 @@ class NetworkScanner(object): continue LOG.debug("Scanning %r...", victim) + pingAlive = Pinger.is_host_alive(victim) + tcpAlive = TCPscan.is_host_alive(victim) # if scanner detect machine is up, add it to victims list - if scanner.is_host_alive(victim): + if pingAlive or tcpAlive: LOG.debug("Found potential victim: %r", victim) victims_count += 1 yield victim From d0998fc4f606c0a4e866e32f8b479ddc423b3827 Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Wed, 12 Sep 2018 19:33:46 +0300 Subject: [PATCH 2/6] Remove scanner class from configuration --- monkey/infection_monkey/config.py | 1 - monkey/infection_monkey/example.conf | 1 - monkey/monkey_island/cc/services/config.py | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py index 4a63c082b..531b7d6dd 100644 --- a/monkey/infection_monkey/config.py +++ b/monkey/infection_monkey/config.py @@ -133,7 +133,6 @@ class Configuration(object): # how many scan iterations to perform on each run max_iterations = 1 - scanner_class = None finger_classes = [] exploiter_classes = [] diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf index 0779301d2..8e89bcc2a 100644 
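Review bot: The docstring of `get_victim_machines` in network_scanner.py still documents `:param scan_type: A hostscanner class, will be instanced and used to scan for new machines`, a parameter this hunk removes from the signature. Drop that line and describe the new behaviour instead, e.g. `Finds machines in the configured ranges by probing each address with both ping and TCP`. A caller that still passes the scanner class positionally would now bind it to `max_find`. Only the call in monkey.py is updated in this series, so any other callers should be checked.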
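Review bot: `TCPscan` and `Pinger` in `get_victim_machines` are capitalised like class names although they are local instances, while the neighbouring locals (`victims_count`, `net_range`) are snake_case. I would write `tcp_scanner = TcpScanner()` and `ping_scanner = PingScanner()`. The same applies to `pingAlive` and `tcpAlive` in the later hunk of this function, which would read `ping_alive` and `tcp_alive`.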
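Review bot: Both probes now run for every address before the result is tested, so an unreachable host costs whatever both probes take to give up. The comment `# if scanner detect machine is up, add it to victims list` still speaks of a single scanner. If running both unconditionally is deliberate, as the commit message suggests for the ping result, say so in place of the old comment, e.g. `# probe with both scanners on purpose (no short-circuit): both results are wanted for cross-segment analysis`. The loop body continues outside the hunk, so how `stop_callback` interacts with the doubled per-host cost cannot be seen here.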
--- a/monkey/infection_monkey/example.conf +++ b/monkey/infection_monkey/example.conf @@ -64,7 +64,6 @@ "smb_download_timeout": 300, "smb_service_name": "InfectionMonkey", "retry_failed_explotation": true, - "scanner_class": "TcpScanner", "self_delete_in_cleanup": true, "serialize_config": false, "singleton_mutex_name": "{2384ec59-0df8-4ab9-918c-843740924a28}", diff --git a/monkey/monkey_island/cc/services/config.py b/monkey/monkey_island/cc/services/config.py index dc0ecada8..62cc4e641 100644 --- a/monkey/monkey_island/cc/services/config.py +++ b/monkey/monkey_island/cc/services/config.py @@ -27,7 +27,7 @@ ENCRYPTED_CONFIG_ARRAYS = \ # This should be used for config values of string type ENCRYPTED_CONFIG_STRINGS = \ [ - + ] From 3dfc7242aa10d74425067c545a7ecf4fdbba2000 Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Wed, 12 Sep 2018 19:34:14 +0300 Subject: [PATCH 3/6] Remove all usage of scanner_class --- monkey/infection_monkey/monkey.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index 7fe31da40..9c727d53f 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -143,7 +143,7 @@ class InfectionMonkey(object): finger.get_host_fingerprint(machine) ControlClient.send_telemetry('scan', {'machine': machine.as_dict(), - 'scanner': WormConfiguration.scanner_class.__name__}) + }) # skip machines that we've already exploited if machine in self._exploited_machines: From 372ffeaa048d126bd26fba342f4a4ce2272ca2bb Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Sun, 6 Jan 2019 17:00:34 +0200 Subject: [PATCH 4/6] Remove scanner class from schema --- monkey/monkey_island/cc/services/config_schema.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py index d4d294afc..fbbe21fe3 100644 
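Review bot: In the monkey.py hunk, removing the `'scanner'` entry leaves the telemetry dict as `{'machine': machine.as_dict(),` with the closing `})` alone on the next line, which reads like a half-finished edit. `ControlClient.send_telemetry('scan', {'machine': machine.as_dict()})` on one line says the same thing. Anything on the receiving side that reads the `scanner` field of `scan` telemetry is not touched by this series, so it should be checked for a missing-key failure. That code is not visible here.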
--- a/monkey/monkey_island/cc/services/config_schema.py +++ b/monkey/monkey_island/cc/services/config_schema.py @@ -400,18 +400,6 @@ SCHEMA = { "title": "Classes", "type": "object", "properties": { - "scanner_class": { - "title": "Scanner class", - "type": "string", - "default": "TcpScanner", - "enum": [ - "TcpScanner" - ], - "enumNames": [ - "TcpScanner" - ], - "description": "Determines class to scan for machines. (Shouldn't be changed)" - }, "finger_classes": { "title": "Fingerprint classes", "type": "array", From c572e515a16aa9686cde05c65b5c1027f85494cb Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Sun, 6 Jan 2019 17:40:14 +0200 Subject: [PATCH 5/6] Let us properly fingerprint using ping --- monkey/infection_monkey/network/ping_scanner.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/monkey/infection_monkey/network/ping_scanner.py b/monkey/infection_monkey/network/ping_scanner.py index 075b57669..cad7e5bcb 100644 --- a/monkey/infection_monkey/network/ping_scanner.py +++ b/monkey/infection_monkey/network/ping_scanner.py @@ -59,10 +59,10 @@ class PingScanner(HostScanner, HostFinger): if regex_result: try: ttl = int(regex_result.group(0)) - if LINUX_TTL == ttl: - host.os['type'] = 'linux' - elif WINDOWS_TTL == ttl: + if (ttl > LINUX_TTL) and (ttl <= WINDOWS_TTL): host.os['type'] = 'windows' + if ttl <= LINUX_TTL: + host.os['type'] = 'linux' return True except Exception as exc: LOG.debug("Error parsing ping fingerprint: %s", exc) From 151ec3dbc9e63bdd5da95d7b7d1a1921882ce8ec Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Sat, 26 Jan 2019 20:11:38 +0200 Subject: [PATCH 6/6] Fix TTL split logic --- monkey/infection_monkey/network/ping_scanner.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/network/ping_scanner.py b/monkey/infection_monkey/network/ping_scanner.py index cad7e5bcb..cbaecedfb 100644 --- a/monkey/infection_monkey/network/ping_scanner.py 
+++ b/monkey/infection_monkey/network/ping_scanner.py @@ -59,10 +59,10 @@ class PingScanner(HostScanner, HostFinger): if regex_result: try: ttl = int(regex_result.group(0)) - if (ttl > LINUX_TTL) and (ttl <= WINDOWS_TTL): - host.os['type'] = 'windows' if ttl <= LINUX_TTL: host.os['type'] = 'linux' + else: # as far we we know, could also be OSX/BSD but lets handle that when it comes up. + host.os['type'] = 'windows' return True except Exception as exc: LOG.debug("Error parsing ping fingerprint: %s", exc)
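Review bot: The new `else:` branch in the `PingScanner` fingerprint code labels every reply whose TTL is above `LINUX_TTL` as Windows, including values above `WINDOWS_TTL`, which some network devices and Unix variants use by default. The observed TTL also depends on hop count and host configuration, so it is weak evidence, and a wrong `host.os['type']` is worse than none if later stages act on it. I would bound the branch with `elif ttl <= WINDOWS_TTL:` and leave the type unset above that, assuming the constant is still defined at module level (it is not visible in the hunk). The comment needs rewording too: `as far we we know` should read `as far as we know`, and if `LINUX_TTL` is the usual 64, OSX/BSD replies land in the `linux` branch rather than this one. The enclosing method starts and ends outside the hunk.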